With IT and OT convergence, ther’s no way people are going to lose their jobs. We all have too much to do for anyone to be redundant. Additionally, there is a well-known shortage of skilled workers in this area.

Security awareness and training: a combination of people, process, and technology.

“Airgap security” does not address “people, process and technology”. Airgap is NOT security (on its own). Airgap is not a pervasive security architecture.

On average we see 11 direct connections between [enterprise and OT] networks — Subcommittee on National Security, May 25 2011 hearing

How do we secure the IoT?

Risk management (assessment)

Reference architecture

Controls design & implementation

Security operations

Continuous security lifecycle (go back to #1)

34% of audience members worked at places that either didn’t or weren’t sure if they perform cybersecurity risk assessments today. (Changed to 17% after he explained his take on risk assessments)